On 11/19/12 11:01 PM, Daniel Holth wrote:
Unfortunately the whole signed mirror system falls down because it
relies on md5 hashes (http://www.kb.cert.org/vuls/id/836068) although
the signing key seems to be long enough. What would it take to get
SHA-2 (or 3) added?
No, the mirroring protocol use SHA
http://www.python.org/dev/peps/pep-0381/#mirror-authenticity
The md5 hash is only a crc-check added in the tarball url
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
